Automated Safe Dependency Updates
This PR contains safe dependency updates (within declared semver ranges) that have been verified to:
Updated Dependencies
@babel/core
@babel/preset-env
@commitlint/cli
@commitlint/config-conventional
@eslint/compat
@types/node
@typescript-eslint/*
ajv
babel-jest
eslint
globals
jest
js-yaml
ts-jest
Security Fixes Included
@babel/core 7.29.7: Fixes GHSA-4x5r-pxfx-6jf8 — Arbitrary File Read via sourceMappingURL Comment (LOW, CVSS 3.2, dev-only)
js-yaml 4.2.0: Addresses MODERATE DoS vulnerability — Quadratic-complexity DoS in merge key handling via repeated aliases (dev-only transitive dependency)
Vulnerability Assessment
Severity   Count          Action
CRITICAL   0              —
HIGH       0              —
MODERATE   19 (dev-only)  Noted; require major version bumps to fix fully
LOW        1 (dev-only)   Fixed by @babel/core 7.29.7 in this PR
Verification
All 3053 tests pass
No breaking changes detected
Pre-existing test failure (agent-volumes-mounts DNS IP mismatch) confirmed unrelated to these dependency changes
Notes
Only package-lock.json is modified. The package.json version ranges already cover these updates (npm update applied all within-range updates). The remaining MODERATE vulnerabilities require major version upgrades (jest 25.x, babel-jest 25.x), which represent breaking changes and are out of scope for this automated PR.
Generated by Dependency Security Monitor Workflow
Warning
Protected Files — Push Permission Denied
This was originally intended as a pull request, but the patch modifies protected files. A human must create the pull request manually.
Protected files
package-lock.json
The push was rejected because GitHub Actions does not have the workflows permission to push these changes (and is never allowed to make such changes), or the other authorization being used does not have this permission.
Create the pull request manually
# Download the patch from the workflow run
gh run download 28008490685 -n agent -D /tmp/agent-28008490685
# Create a new branch
git checkout -b deps/safe-updates-2026-06-23-c9125aa803127713 main
# Apply the patch (--3way handles cross-repo patches)
git am --3way /tmp/agent-28008490685/aw-deps-safe-updates-2026-06-23.patch
# Push the branch and create the pull request
git push origin deps/safe-updates-2026-06-23-c9125aa803127713
gh pr create --title '[Deps] Safe dependency updates (2026-06-23)' --base main --head deps/safe-updates-2026-06-23-c9125aa803127713 --repo github/gh-aw-firewall